TRANSFER OF SECURITY ASSOCIATION DURING A MOBILE TERMINAL HANDOVER 

FIELD OF THE INVENTION 

This invention relates to radio communications systems of which a wireless 
local area network (WLAN) is a non-limiting example. More specifically this 
invention relates to providing information security when a mobile terminal is 
handed over from a first base station or access point (AP) to a second base 
station or access point (AP). 

BACKGROUND OF THE INVENTION 

In a minimum configuration, a communication system is formed by a 
transmitting station and a receiving station that are interconnected by a 
communication channel. Communication signals generated by the 
transmitting station are transmitted upon the communication channel and 
received by the receiving station. 

In a radio communication system at least a portion of the communication 
channel is formed by a portion of the electromagnetic spectrum. Increased 
mobility of communications is permitted in a radio communication system 
because a fixed or a hard-wired connection is not required between the 
transmitting and receiving stations. 

A cellular communication system, of which a cellular telephone system is an 
example, is an example of a radio communication system. When the mobile 
terminal of a subscriber to a cellular communication system is physically 
positioned at almost any location throughout an area that is encompassed by 
the network infrastructure of the cellular communication system, the mobile 
terminal is able to communicate by way of the cellular communication system 
with another mobile terminal. 

The network infrastructure of an exemplary wireless communication system 
includes physically spaced-apart base stations or access points (APs) which 
each include a transceiver. In such an exemplary system, each base station or 
AP defines a geographic area or cell of the communications system. As a first 
mobile terminal is used to communicate with a second mobile terminal, and as 
the first mobile terminal travels or moves between the cells of the system, 
uninterrupted communication is possible by handing over communications 
from one base station to another base station. Such a communication 
handover is provided by a handover process. 

A High Performance Radio Local Area Network such as HIPERLAN type 2 
supports three kinds of handover. HIPERLAN/2 provides high speed 
(typically 25 Mb/s data rate) communications between portable devices and 
broadband IP, ATM and UMTS networks, and is capable of supporting 
multiple media applications, with the typical application being indoors. 
HIPERLAN/2 provides local wireless access to different infrastructure 
networks (e.g. IP, ATM and UMTS) by moving and stationary terminals that 
interact with access points which, in turn, usually are connected to an IP, 
ATM, or UMTS backbone. A number of access points are required to service 
the network. The wireless network as a whole supports handovers of 
connections between access points to provide mobility. Typical operating 
environments include business networks and domestic premises networks. An 
overview of HIPERLAN/2 access networks is provided by the European 
Telecommunications Standards Institute (ETSI) document 
DTR/BRAN-00230002, 1998, incorporated herein by reference. 

Depending upon the mobile terminal's handover decision, sector handover 
(inter-sector), radio handover (inter access point transceiver / intra access 
point handover), network handover (inter access point/inter network handover) or 
forced handover may occur in accordance with HIPERLAN/2. 

Prior to the execution of a handover, the mobile terminal must gather relevant 
measurements on the frequency that is used by the current access point, as 
well as on the frequencies that are used by access points that are candidates 
for a handover. Measurements on the serving frequency can be carried out by 
the mobile terminal while it is synchronized to the current access point. 
However, in order to measure the frequency of neighboring access points, the 
mobile terminal must be temporarily absent from the current access point. 

During a mobile terminal absent procedure the mobile terminal is temporarily 
disconnected from the current access point, in order that the mobile terminal 
can perform measurements on neighboring access points. During this time, 
no communication between the mobile terminal and the current access point is 
possible. As part of this absent procedure, the mobile terminal tells the 
current access point that it will be absent for n frames. During this absent 
period, the mobile terminal cannot be reached by the current access point. 
After the absent period, the current access point may trigger a mobile terminal 
alive sequence to check if the mobile terminal is available. 

During a sector handover the antenna sector of the access point is changed, 
and the same access point controls the entire handover. After a successful 
sector handover, the mobile terminal communicates via the new sector. 

A radio handover relates to access points having more than one transceiver 
per access point, for example two access point transceivers and one access 
point controller. Radio handover is performed when a mobile terminal 
moves from a coverage area of one access point to another coverage area that 
is served by the same access point. Since radio handover can be performed 
within the data link control (DLC) layer, higher layer protocols (HL) are not 
involved. When the mobile terminal detects the need for a handover to 
another access point controller, the mobile terminal may still synchronize to 
the current access point. In this case the mobile terminal may notify its 
access point controller that the mobile terminal will perform a handover to 
another access point controller. In the case of a radio handover all relevant 
information about on-going connections, security parameters, etc. is 
available in the access point, so that this information is not re-negotiated. 



A network handover is carried out when a mobile terminal moves from one 
access point to another access point. Since the mobile terminal leaves the 
serving area of a radio link control (RLC) instance, a network handover 
involves the convergence layer (CL) and the HL (as may be needed), as well 
as the DLC. To maintain HL association and connections, specific signaling via 
the backbone may be needed. When the mobile terminal detects the need for 
handover to another (target) access point, the mobile terminal may still be 
synchronized to the current access point. In this case, the mobile terminal 
may notify the current access point that it will perform a handover to another 
access point. The notified access point shall then stop transmitting to that 
mobile terminal, but shall maintain association for a specified time, when 
indicated. 



Forced handover gives a current access point the opportunity to order a 
certain mobile terminal to leave the current access point's cell. A forced 
handover is initiated by the access point sending a ForceHandover signal to 
the mobile terminal. In one procedure the mobile terminal performs a 
handover and leaves its old cell, regardless of whether it finds a new cell. In 
a second procedure the mobile terminal has the opportunity to come back to 
the old access point if handover fails. 
For further discussion of HIPERLAN/2 features see the Broadband Radio 
Access Networks (BRAN); HIPERLAN type 2 Functional Specification; 
Radio Link Control (RLC) that are provided by the ETSI standardization 
organization, incorporated herein by reference. 

Several types of wireless communication systems have been implemented, 
and others have been proposed, to encompass limited geographic areas, for 
example a limited area that is encompassed by a building or by an office 
workplace within a building. Wireless communication systems such as 
microcellular networks, private networks, and WLANs are exemplary of such 
systems. 

Wireless communication systems are typically constructed pursuant to 
standards that are promulgated by a regulatory or a quasi-regulatory body. 
For instance, the IEEE 802.11 standard promulgated by the IEEE (Institute of 
Electrical and Electronic Engineering) is a wireless local area network (LAN) 
standard pertaining generally to the commercial 2.4 GHz wireless LAN. The 
802.11 standard specifies an interface between a wireless terminal and a base 
station or access point, as well as among wireless terminals. Standards 
pertaining to a physical layer and a media access control (MAC) layer are set 
forth in such a standard. This standard permits automatic medium sharing 
between different devices that include compatible physical layers. 
Asynchronous data transfer is provided for in the standard, generally by way 
of the MAC layer, utilizing a carrier sense multiple access with collision 
avoidance (CSMA/CA) communication scheme. 

While the IEEE 802.11 standard provides for wireless communications 
through the use of mobile terminals that are constructed to be mutually 
operable pursuant to such a standard, the standard does not adequately 
provide for real time wireless services. For instance, in an implementation of 
the standard a significant loss of quality is sometimes experienced during 
handover of communications from one AP to another AP. Excessive numbers 
of data frames are susceptible to being lost or delayed, resulting in the loss of 
communication quality, or even termination of communications. 
Operational modes different than that set forth in the IEEE 802.11 standard 
are therefore required, particularly for real time wireless services. 
Proprietary functions have been proposed which permit improved quality of 
communications as compared to operation pursuant to the existing IEEE 
802.11 standard. APs and mobile terminals that are operable to perform such 
proprietary functions are referred to as being proprietary mode capable. 

However, both ends of a communication pair, consisting of a mobile terminal 
and the AP through which the mobile terminal communicates, must be 
capable of operation in the proprietary mode. If both ends of the 
communication pair are not together operable pursuant to the proprietary 
mode, conventional operation pursuant to the IEEE 802.11 standard is 
required. Therefore, prior to permitting both ends of the communication pair 
to operate in the proprietary mode, a determination must be made of the 
ability of both ends of the communication pair together to be operable 
pursuant to the proprietary mode. 

The above mentioned copending patent application provides apparatus that is 
operable to identify whether both ends of the communication pair are together 
operable in the proprietary mode, the apparatus operating to activate both 
ends of the communication pair to operate in the proprietary mode when it is 
determined that pair-compatibility exists, and the apparatus thereafter 
operating to maintain the proprietary mode operation during handover 
procedures should a mobile terminal physically move from a cell that is 
serviced by a first AP to a cell that is served by a second AP. 

In addition to the valuable features that are provided by the apparatus of this 
copending application, it would be desirable to re-establish a security 
association as such an AP-to-AP handover occurs. 

Many customers, and particularly business environments, require a high 
degree of data security, and this data security cannot be compromised by use 
of a WLAN installation. Since access to the WLAN cannot be restricted 
physically, it is customary to use cryptographic methods to protect 
transmitted data and network elements. Current IEEE 802.11 and IETF 
Internet standards offer two complementary mechanisms for providing secure 
data communications over a wireless link, i.e. Internet Protocol Security 
(IPSEC). IPSEC is an IP-based security protocol that provides for secure 
communication between two IP hosts. A common use of the IPSEC protocol 
is in the building of Virtual Private Networks (VPNs). 


In WLAN systems the IPsec protocol can be used to provide end-to-end 
security for data packets, this security being provided by authenticating 
and/or encrypting the transmitted data packets. IPsec uses symmetric 
cryptography that requires use of the same encryption and/or authentication 
key at both ends of a communication link. Scalable key management 
protocols such as IKE can be used to generate the symmetric keys for an 
IPsec stack. 

While the Internet Key Exchange (IKE) key management protocol is useful 
for the establishment of an IP level security association during an initial 
mobile-terminal/access-point association, when the need for a communication 
handover occurs, the use of IKE or other similar protocols inflicts a 
considerable time delay on accomplishing the handover since such protocols 
require the exchange of multiple messages, and their use of public key 
encryption requires very heavy computation. Since a handover of the payload 
traffic can be resumed only after an active security association has been 
established between the new-AP and the mobile terminal, the use of the IKE 
key management protocol or other such protocols presents problems during 
the handover. 

When any security protocol with a dynamic encryption key, i.e. a time 
dependent dynamic key, is applied between a mobile terminal and an AP, it is 
desirable to find a mechanism for the transfer of an active security association 
that is provided by the wireless radio network or system. 

It is in light of this background information that the present invention 
provides a low or short delay method/apparatus for the key management and 
security association re-establishment during a WLAN communication 
handover, wherein there is no need to modify the end-to-end security 
association during handover (e.g. IPsec payload connections between the 
mobile terminal and a server), and wherein the handover affects only the 
security functions between the mobile terminal and the new and old APs. 

SUMMARY OF THE INVENTION 

This invention relates to radio communications, to the IEEE 802.11 2.4 GHz 
WLAN standard, to high performance radio local area networks 
(HIPERLANs), to the ETSI HIPERLAN type 2 standard, and to IPSEC level 
security association between a wireless terminal and network elements. The 
invention finds utility in any IP based wireless network, examples of which 
include ETSI BRAN and IEEE 802.11. In addition the invention finds utility 
when a mobile terminal moves between two IPSEC router entities where a 
wireless terminal communicates with an endpoint that is not a wireless 

The present invention provides an efficient method/apparatus for 
re-establishing an existing security association when a handover event occurs in 
a radio communications system such as an IEEE 802.11 or a HIPERLAN system. 
Operation of this invention increases handover performance, and minimizes 
the delay that is associated with re-negotiating a security association 
between a new AP and a mobile terminal. 

The invention provides an efficient way to maintain an established security 
association between a mobile terminal and the wireless communication 
network when a handover occurs within the network. An example of the 
utility of the invention is a WLAN having Internet Protocol Security (IPsec) 
based security associations between the APs and the mobile terminals that are 
within the WLAN. However, the invention also finds utility for maintaining 
any type of dynamic security association, such as HIPERLAN/2 radio level 
security functions. 

In accordance with the invention, authentication of a mobile terminal during a 
handover event is achieved by a challenge/response procedure. In accordance 
with this challenge/response procedure the new AP sends a challenge to the 
mobile terminal, whereupon the mobile terminal (MT) responds by sending a 
response to the new AP. 

An authentication key for both ends of the communication pair that is made 
up of a mobile terminal and an AP is originally generated by a scalable key 
management protocol, for example Internet Key Exchange (IKE). Security 
associations are transferred between the various APs that are within the 
wireless communication system in order to avoid the need for a new and 
different key exchange during each handover. 
The keys and other information are transferred to the new AP during the 
handover process in one or more handover messages that pass between the 
old AP and the new AP. The exchange of authentication challenges and 
responses is integrated into the handover signaling between the new AP and 
the mobile terminal that is being handed over. In accordance with a feature of 
the invention, the messages are medium access control (MAC) messages. 

[...] authentication is a desirable but optional feature. While a secure 
connection is preferred between access points, such a feature is not required 
by the spirit and scope of the invention. 

These and other features and advantages of the invention will become apparent 
to those of skill in the art upon reference to the following detailed description 
of the invention, which description makes reference to the drawing. 

BRIEF DESCRIPTION OF THE DRAWINGS 

FIG. 1 is a showing of a communication system in which an embodiment of 
the present invention is operable. 

FIG. 2 is a showing of a forward handover process in accordance with the 
invention. 

FIG. 3 is a showing of a backward handover process in accordance with the 
invention. 

FIGS. 4A-4C provide another showing of the forward handover process of 
FIG. 2. 

FIGS. 5A-5C provide another showing of the backward handover process of 
FIG. 3. 

FIG. 6 is a showing of a HIPERLAN/2 forced handover in accordance with 
the invention. 

FIG. 7 is a showing of a HIPERLAN/2 forward handover in accordance with 
the invention. 



DETAILED DESCRIPTION OF THE INVENTION 

FIG. 1 is an example of a communication system that provides for radio 
communications with and between a plurality of mobile terminals, of which 
mobile terminal 12 is an example. In another example, an access point covers 
the radio interface and fixed network bridge, with the access points connected 
to the fixed network, this example not requiring the CCU shown in FIG. 1. 
Communication system 10 forms a WLAN that provides radio 
communications with a plurality of mobile terminals 12 as set forth in the 
IEEE 802.11 standard, as well as, potentially, pursuant to a proprietary mode 
of operation, as is described in the above mentioned copending patent 
application. Other communication systems are analogous, and operation of 
the present invention is also operable in such other communication systems. 

WLAN 10 includes a plurality of spaced-apart APs 14 and 114 that are 
individually located at two spaced-apart geographic locations. While only 
two APs 14, 114 are shown, in actual practice a greater number of APs are 
utilized. APs 14, 114 are sometimes referred to as base stations or remote 
antenna devices (RADs). The term "access point", "AP", or "ap" shall 
generally be used herein to identify points of access to the network 
infrastructure of communication system 10, as well as mobile terminal 
points of access to access points. 

Each of the APs 14, 114 includes radio transceiver circuitry 16 that is capable 
of transceiving radio communication signals with mobile terminals 12 when 
[...] particular AP. Generally, a mobile terminal 12 communicates with an AP 
14, 114 when the mobile terminal is positioned within a cell 18, 118 that is 
proximate to and defined by the access point; cell 18 is associated with access 
point 14, and cell 118 is associated with access point 114. [...] Mode 
selector 34 is included only when an implementation of the invention uses 
proprietary radio link messages, this not being required in an 
implementation of the invention. 

Access points 14, 114 are coupled to a central control unit (CCU) 22. CCU 22 
is typically a hub or an IP router. CCU 22 provides connections to an 
external communication network backbone [...] communication devices, such 
as other communication stations [...] communication networks are typically 
coupled to [...] backbone. Also, local communication between pairs of mobile 
terminals [...] separate radio links. 
APs 14, 114 include control elements 28 that perform various control 
functions related to operation of the respective APs. In FIG. 1 control 
elements 28 are each shown to include a comparator 32, a mode selector 34 
and a handover availability determiner 36, which control elements are 
functional and are implemented in any desired manner, such as, for example, 
algorithms that are executable by processing circuitry. In another 
implementation, the functions that are performed by such elements are located 
elsewhere, such as at mobile terminals 12 as indicated by block 28', or at 
CCU 22 as indicated by block 28". Thus, the functions performed by the 
control elements can be distributed amongst several different devices. 

Note that in accordance with the invention, comparator 32 includes security 
functions, and blocks 28 include medium access control (MAC) functions. 

In the construction and arrangement of FIG. 1, and as taught by the above 
mentioned copending patent application, a communication pair that consists 
of an AP 14, 114 and a mobile terminal 12 is operable pursuant to the IEEE 
802.11 standard-mode when it is determined that the communication pair are 
not both proprietary-mode compatible, or is operable pursuant to the 
proprietary-mode when it is determined that both members of the 
communication pair are proprietary-mode capable. In order to produce this 
result, a comparator 32 receives identifiers that identify the operable-mode of 
both the mobile terminal and the access point that form a communication pair. 
A mode selector 34 then selects the standard-mode of operation or the 
proprietary-mode of operation for communication between the mobile 
terminal and the access point. 

As the physical position of a mobile terminal 12 changes from cell 18 to cell 
118 during a given communication session, mobile terminal 12 leaves a first 
geographic area 18 that is serviced by AP 14, and then enters a second 
geographic area 118 that is serviced by AP 114. This cell-to-cell or 
area-to-area movement requires a handover of communications from AP 14, 
which is associated with the first area 18, to AP 114, which is associated 
with the second area 118, thus permitting continued communication with 
mobile terminal 12. 

Handover availability determiner 36 provides indications to mobile terminal 
12 of the available APs to which a handover of communications is possible, 
this availability being contained in an available access point list 38 that 
contains the identities of the APs that are available to [...] 
communications. 

Available access point list 38 can be communicated to the mobile terminals 
12 at selected time intervals, or access point list 38 [...] 
when the mobile terminal is initialized. [...] network preferences can be used 
to provide the same [...] 

In this explanation of the invention it will be assumed that a security 
association (SA) exists between mobile terminal 12 and AP 14. That is, it will 
be assumed that mobile terminal 12 and AP 14 share a set of keys and other 
information that is necessary [...] that is needed [...] 
the use of public key encryption, [...] interruption of 
traffic transfer to and from mobile terminal 12 [...], an interruption 
of this type being very important for real-time [...] (VOIP) and video 
distribution. 

In accordance with the invention, an authentication key or security 
association for both ends of the link that involves 
mobile terminal 12 and AP 14 is generated by a scalable key management 
protocol, such as IKE, it being noted that the Diffie-Hellman key exchange 
protocol can also be utilized. 

Later, when mobile terminal 12 moves from cell 18 and its AP 14 to cell 118 
and its AP 114, authentication during the handover process is achieved by a 
simple challenge/response procedure. Also, security associations 
are transferred between old-AP 14 and new-AP 114, thus avoiding the need 
for a new key exchange during a handover from old-AP 14 to new-AP 114. 

During the challenge/response procedure, new-AP 114 sends a challenge to 
mobile terminal 12, whereupon mobile terminal 12 sends a response to 
new-AP 114. In addition, mobile terminal 12 authenticates new-AP 114 in a 
similar manner during the handover. 

The keys and related information are requested by new-AP 114, whereupon 
they are transferred from old-AP 14 to new-AP 114 in handover messages. 
Similarly, the exchange of the authentication challenges and the responses 
thereto are integrated into the handover signaling that occurs between new-AP 
114 and mobile terminal 12. 

FIG. 2 shows a forward handover (HO) process 20 in accordance with the 
invention, this being a preferred embodiment of the invention. In forward 
handover process 20 the handover signaling is sent between mobile terminal 
(MT or mt) 12 and new access point (AP or ap) 114. This type of handover is 
[...] invention. [...] terminal 12 communication with old-AP 14 [...] 
handover [...] herein, an option is to use the [...] also trigger backward 
handover [...] from old-AP 14 and connect to new-AP 114 [...] to indicate 
[...] that a security association (SA) 33 has already been prepared for mobile 
terminal 12. 

As used herein the term "old-AP" means an access point such as access point 
14 with which mobile terminal 12 is communicating at a time when a handover 
is required. Thus, the term "old-AP" also means the access point that is 
currently communicating with mobile terminal 12. 

As used herein the term "new-AP" means an access point such as access point 
114 to which mobile terminal 12 will be handed over as the mobile terminal 
physically moves from cell 18 to cell 118. Thus, the term "new-AP" also 
means an access point with which mobile terminal 12 will communicate after 
a communication handover is completed. 
[...] invention can be accomplished in other systems than IEEE 802.11. The use 
of extended MAC (medium access control) messages in FIGS 2 and 3 to carry 
the additional parameters over the radio interfaces is however beneficial in 
that the need to send additional messages is avoided. 

In order to guarantee security, it is desirable that messages that carry the keys 
be ciphered. Therefore, the transfer of security associations (SAs) and other 
control traffic between APs 14, 114 is shown as being encrypted and 
authenticated by IPsec. 

The specific means whereby it is determined that mobile terminal 12 has 
physically moved relative to cells 18, 118, such that handover is required, is 
not critical to the present invention. For example, the procedure can be 
analogous to that used in conventional time-division cellular systems that use 
mobile assisted handover procedures. In general, mobile terminal 12 tunes to 
control channels of the base stations or APs of adjacent cells such as cells 
18, 118, for example at timed intervals. The signal strength, or some other 
signal characteristic such as bit error rate, of the signals that are broadcast on 
these control channels is then measured or sensed by mobile terminal 12. 
Uplink signals that are based upon this measurement at mobile terminal 12 are 
then sent by the mobile terminal to network 10, whereupon network 10 
determines whether a communication handover should be effected. When it is 
determined that handover is required, instructions are sent to mobile terminal 
12, and the communication handover process of FIG. 2 or FIG. 3 begins. 

FIGS. 4A-4C provide another showing of forward handover process 20 
wherein communication handover of mobile terminal 12 is provided relative 
to old-AP 14 and new-AP 114 as mobile terminal 12 moves from cell 18 to cell 
118. In this figure a mobile terminal or MT is also referred to using the term 
"mt", and an access point or AP is also referred to using the term "ap". 
With reference to FIG. 4A, forward handover process 20 is initiated at mobile 
terminal 12 by the yes output 400 of event 401 indicating that handover is 
required. Mobile terminal 12 now operates at function 402 to activate its 
radio handover function. 

At function 403 mobile terminal 12 generates a challenge to new-AP 114, 
whereupon at function 404 a MAC_REASSOCIATE_REQ message that 
contains "mt_challenge" is sent to new-AP 114. 

At function 405, new-AP 114 accepts message 404, whereupon new-AP 114 
operates at function 406 to send a handover request to old-AP 14. Old-AP 14 
then retrieves the security association parameters SA.SA from its security 
association database, and operates at function 408 to send a handover request 
that contains parameters SA.SA to new-AP 114. 

With reference to FIG. 4B, new-AP 114 now operates to create a security 
association (SA), operates to generate a challenge to authenticate mobile 
terminal 12, operates to calculate a response to the "mt_challenge" that was 
contained in message 404, and operates to send a message 412 to mobile 
terminal 12 that contains the "ap_challenge", the "ap_response" and "other 
information". 

Mobile terminal 12 now operates at function 413 on the security 
association parameters, operates at function 414 to calculate a response to the 
"ap_challenge" that was received by way of message 412, and operates at 
function 415 to compare the "ap_response" that was received by way of 
message 412 to the correct or expected response. 

When the comparison performed by function 415 produces a correct compare, 
function 416 operates to authenticate new-AP 114, whereupon function 417 
operates to send a MAC_AUTHENTICATE_RESP message to new-AP 114, 
this message containing the "mt_response" that was calculated at function 
414. 

With reference now to FIG. 4C, at function 418 new-AP 114 operates to 
compare the "mt_response" that it received by way of message 417 to the 
proper or correct response, and when this comparison produces the correct 
compare, function 419 operates to authenticate mobile terminal 12. New-AP 
114 then operates at function 420 to send a MAC_REASSOCIATE_RESP 
message to mobile terminal 12, whereupon handover is completed and mobile 
terminal 12 thereafter operates at function 421 to resume its payload traffic 
using new-AP 114. 
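The forward handover exchange of FIGS. 4A-4C, written out as an added Python model (this is not code from the patent, nor from any AP or HIPERLAN/2 implementation): old-AP hands the SA.SA parameters to new-AP, new-AP answers mt_challenge and issues its own ap_challenge, and the mobile terminal refuses the handover when ap_response does not verify. The patent does not say how a response is derived from a challenge and the shared key; HMAC-SHA256 over a direction tag plus the challenge, the class and field names, the identifiers "mt12", "ap14" and "ap114", and the in-process call that stands in for the IPsec-protected AP-to-AP message are all assumptions of this example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class SecurityAssociation:
    """The SA.SA parameter set that old-AP hands to new-AP (field layout assumed here)."""
    mt_id: str
    auth_key: bytes                                  # shared authentication key, originally from IKE
    other_info: dict = field(default_factory=dict)   # the patent's "other information"


def compute_response(key: bytes, challenge: bytes, role: bytes) -> bytes:
    """Keyed response to a challenge (HMAC-SHA256 is this example's assumption).
    The role tag binds a response to its direction, so an ap_response cannot be
    replayed back to the AP as an mt_response."""
    return hmac.new(key, role + challenge, hashlib.sha256).digest()


class AccessPoint:
    def __init__(self, name: str, peers=None):
        self.name = name
        self.sa_db = {}                    # security association database: mt_id -> SA
        self.peers = peers or {}           # APs reachable over the backbone, by name
        self.pending_challenges = {}       # mt_id -> ap_challenge awaiting an mt_response

    def handover_request(self, mt_id: str) -> SecurityAssociation:
        """old-AP side (message 408): hand the stored SA.SA to the requesting AP.
        In the patent this AP-to-AP message is IPsec-protected; here it is a direct call."""
        return self.sa_db[mt_id]

    def reassociate_req(self, mt_id: str, old_ap_name: str, mt_challenge: bytes):
        """new-AP side (functions 405-412): fetch the SA from old-AP, answer mt_challenge."""
        old_ap = self.peers.get(old_ap_name)
        if old_ap is None or mt_id not in old_ap.sa_db:
            return None                    # no SA obtainable, so no valid ap_response is possible
        sa = old_ap.handover_request(mt_id)
        self.sa_db[mt_id] = sa             # new-AP creates its SA from the transferred parameters
        ap_challenge = os.urandom(16)
        self.pending_challenges[mt_id] = ap_challenge
        return {                           # message 412
            "ap_challenge": ap_challenge,
            "ap_response": compute_response(sa.auth_key, mt_challenge, b"ap"),
            "other_info": sa.other_info,
        }

    def authenticate_resp(self, mt_id: str, mt_response: bytes) -> bool:
        """new-AP side (functions 418-420): check mt_response against the expected value."""
        sa = self.sa_db.get(mt_id)
        ap_challenge = self.pending_challenges.pop(mt_id, None)
        if sa is None or ap_challenge is None:
            return False
        expected = compute_response(sa.auth_key, ap_challenge, b"mt")
        return hmac.compare_digest(expected, mt_response)   # constant-time comparison


class MobileTerminal:
    def __init__(self, mt_id: str, sa: SecurityAssociation):
        self.mt_id = mt_id
        self.sa = sa                       # the MT's copy of the SA shared with old-AP
        self.current_ap = None

    def forward_handover(self, old_ap_name: str, new_ap: AccessPoint) -> bool:
        """MT side of FIGS. 4A-4C; True only when both directions authenticate."""
        mt_challenge = os.urandom(16)                                           # function 403
        msg412 = new_ap.reassociate_req(self.mt_id, old_ap_name, mt_challenge)  # message 404
        if msg412 is None:
            return False
        expected = compute_response(self.sa.auth_key, mt_challenge, b"ap")
        if not hmac.compare_digest(expected, msg412["ap_response"]):            # function 415
            return False                   # new-AP did not prove it holds the SA: stay with old-AP
        mt_response = compute_response(self.sa.auth_key, msg412["ap_challenge"], b"mt")  # 414
        if not new_ap.authenticate_resp(self.mt_id, mt_response):              # message 417 / 418
            return False
        self.current_ap = new_ap.name      # message 420 received: payload traffic resumes here
        return True


def demo():
    """Constructed scenario: a provisioned new-AP succeeds; an AP without the SA is refused."""
    sa = SecurityAssociation("mt12", os.urandom(32), {"spi": "PLACEHOLDER"})   # constructed
    old_ap = AccessPoint("ap14")
    old_ap.sa_db["mt12"] = sa              # the SA the patent assumes IKE set up earlier
    new_ap = AccessPoint("ap114", peers={"ap14": old_ap})
    unprovisioned_ap = AccessPoint("ap-no-backbone")   # cannot reach old-AP, holds no SA
    mt = MobileTerminal("mt12", sa)
    return mt.forward_handover("ap14", new_ap), mt.forward_handover("ap14", unprovisioned_ap)


if __name__ == "__main__":
    print(demo())   # (True, False)
```

Running demo() exercises both outcomes: a new-AP that obtained SA.SA over the backbone passes the terminal's check at function 415, while an AP that could not obtain it cannot produce a valid ap_response and the terminal keeps its current association. That property is what lets the SA transfer replace a fresh IKE run without giving up mutual authentication. The backward handover of FIGS. 5A-5C can be modelled with the same response function; only the path of ap_challenge differs, since old-AP relays it to the terminal in MAC_DISASSOCIATE.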

FIGS. 5A-5C provide another showing of backward handover process 30 
wherein communication handover is provided for mobile terminal 12 relative 
to old-AP 14 and new-AP 114. In this figure a mobile terminal or MT is also 
referred to using the term "mt", and an access point or AP is also referred to 
using the term "ap". 

With reference to FIG. 5A, backward handover process 30 is initiated at mobile terminal 12 by the yes output 500 of event 501 indicating that handover is required. Mobile terminal 12 now operates at function 502 to send a handover request to old-AP 14. 
When message 502 is received at old-AP 14, function 503 accepts the message, function 504 operates to retrieve security association parameters SA.SA from its security association (SA) database, and at function 505 old-AP 14 sends parameters SA.SA to new-AP 114. 

Using the parameters SA.SA that were received in message 505, new-AP 114 creates a security association. New-AP 114 then operates at function 507 to generate an "ap_challenge" to authenticate mobile terminal 12, and a request 508 is sent to old-AP 14, this request 508 including the "ap_challenge" generated at function 507, and "other information". 

With reference now to FIG. 5B, in response to message 508, old-AP 14 operates at function 509 to send a MAC_DISASSOCIATE message to mobile terminal 12, this message containing the "ap_challenge" and the "other information" that old-AP 14 received from new-AP 114 by way of message 508. 

In response to message 509, mobile terminal 12 activates its radio handover action. At function 510 mobile terminal 12 creates a security association in accordance with the security association parameters, at function 511 mobile terminal 12 calculates a response to the "ap_challenge" portion of message 509, at function 512 mobile terminal 12 operates to generate a challenge to authenticate new-AP 114, and at function 513 mobile terminal 12 sends a MAC_REASSOCIATE_REQ message to new-AP 114. Message 513 contains the "mt_response" that was calculated at function 511, the "mt_challenge" that was generated at function 512, and "other information". 
With reference now to FIG. 5C, function 515 provides authentication of mobile terminal 12: function 516 compares the "mt_response" that was received by way of message 513 to the correct or expected response, function 517 calculates a response to the "mt_challenge" that was received by way of message 513, and function 518 operates to send a MAC_REASSOCIATE_RESP_ENH message to mobile terminal 12, message 518 containing the "ap_response" that was calculated by function 517. 

At function 519 mobile terminal 12 operates to authenticate new-AP 114 by comparing at function 520 the "ap_response" contained in message 518 with the correct or expected response, and as a result of this correct comparison, function 521 causes mobile terminal 12 to resume payload traffic using new-AP 114. 

From the above it can be seen that the present invention provides a method/apparatus that provides for information security when communication with a given mobile-terminal 12 is handed-over from a first access-point 14 to a second access-point 114. A communication system 10 is provided having a plurality of access-points, each access point serving a different geographic area that is within an overall geographic area that is served by communication system 10, and a plurality of mobile-terminals 12 are provided wherein the mobile-terminals are individually physically moveable within the overall geographic area and between the different geographic areas. 

In the handover process/apparatus of the invention, first it is sensed when a given mobile-terminal 12 moves from a communication-influence with a first access-point 14 into a communication-influence with a second access-point 114 (see 401 of FIG. 4A and 501 of FIG. 5A). 
When such a move is sensed, the security-association-parameters are fetched from first access-point 14 (see FIG. 4A and 504 of FIG. 5A), a security association is created at second access-point 114 in accordance with the retrieved security-association-parameters (see FIG. 4B and FIG. 5A), and a security association is created at given mobile terminal 12 in accordance with the retrieved security-association-parameters (see 413 of FIG. 4B and 510 of FIG. 5B). 

Also, when such a move is sensed, an authenticate-access-point-challenge is sent from given mobile-terminal 12 to second access-point 114 (see FIG. 4A and 513 of FIG. 5B), and an authenticate-mobile-terminal-challenge is sent from second access-point 114 to given mobile-terminal 12 (see FIG. 4B and 508 of FIG. 5A). This challenge is an optional feature of the invention. 

In response to the authenticate-access-point-challenge received from given mobile-terminal 12, second access-point 114 calculates an authenticate-access-point-response (see FIG. 4B and 517 of FIG. 5C), and this authenticate-access-point-response is sent to given mobile-terminal 12 (see 412 of FIG. 4B and 517 of FIG. 5C). 

In response to the authenticate-mobile-terminal-challenge that is received from second access-point 114, given mobile-terminal 12 calculates an authenticate-mobile-terminal-response (see 414 of FIG. 4B and FIG. 5B), and this authenticate-mobile-terminal-response is sent to second access-point 114 (see 417 of FIG. 4B and 513 of FIG. 5C). 

A first-compare at given mobile-terminal 12 operates to compare the authenticate-access-point-response that is received from second access-point 114 to a correct or an expected response (see 415 of FIG. 4B and 519 of FIG. 5C), and a second-compare at second access-point 114 operates to compare the authenticate-mobile-terminal-response that is received from given mobile-terminal 12 to a correct or an expected response (see 418 of FIG. 4C and 515 of FIG. 5C). 

Finally, communication is initiated between given mobile-terminal 12 and second access-point 114 based upon the outcome of the first-compare and the second-compare (see 421 of FIG. 4C and 520 of FIG. 5C). 
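As an added illustration, which is not code from the patent or its applicant, the following Python models the backward handover exchange of FIGS. 5A-5C with both sides' messages: old-AP 14 hands the SA parameters to new-AP 114, the new AP challenges the mobile terminal, the mobile terminal answers and challenges back, and communication resumes only when both compares succeed. The page never states how a response is derived from a challenge, so an HMAC-SHA256 over the challenge under an assumed SA authentication key is used here as an assumption; the 16-byte random challenges, the class and function names, and the constructed identifiers "mt-12", "ap-14" and "ap-114" are likewise assumptions. The function numbers in the comments refer to FIG. 5.

```python
"""Mutual challenge/response over a transferred security association.

Added illustration of FIGS. 5A-5C; the response function (HMAC-SHA256 under
an assumed SA authentication key), the challenge size and all names and
identifiers are assumptions, not taken from the patent.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class SecurityAssociation:
    """The transferred SA parameters (the page's SA.SA); only an
    authentication key is modelled here (assumption)."""
    mt_id: str
    auth_key: bytes


def make_response(sa: SecurityAssociation, role: bytes, challenge: bytes) -> bytes:
    """Assumed response function: HMAC-SHA256 over the challenge under the SA
    key.  The role tag keeps an ap_response and an mt_response distinct even
    when the same challenge bytes are used in both directions."""
    return hmac.new(sa.auth_key, role + challenge, hashlib.sha256).digest()


class AccessPoint:
    def __init__(self, name: str) -> None:
        self.name = name
        self.sa_db: Dict[str, SecurityAssociation] = {}  # SA database
        self.pending: Dict[str, bytes] = {}               # outstanding ap_challenge per MT

    def handover_request(self, mt_id: str) -> Optional[SecurityAssociation]:
        """old-AP: functions 503-505, retrieve SA.SA for transfer to new-AP."""
        return self.sa_db.get(mt_id)

    def accept_transfer(self, sa: SecurityAssociation) -> bytes:
        """new-AP: create the SA from the transferred parameters and generate
        an ap_challenge (function 507) for relay via old-AP (508/509)."""
        self.sa_db[sa.mt_id] = sa
        ap_challenge = secrets.token_bytes(16)
        self.pending[sa.mt_id] = ap_challenge
        return ap_challenge

    def reassociate(self, mt_id: str, mt_response: bytes, mt_challenge: bytes) -> Optional[bytes]:
        """new-AP, FIG. 5C: compare mt_response (515/516); on success answer the
        mt_challenge (517) and return the ap_response for message 518.  The
        outstanding ap_challenge is consumed, so a replayed mt_response fails."""
        sa = self.sa_db.get(mt_id)
        ap_challenge = self.pending.pop(mt_id, None)
        if sa is None or ap_challenge is None:
            return None
        expected = make_response(sa, b"mt", ap_challenge)
        if not hmac.compare_digest(expected, mt_response):
            return None  # mobile terminal not authenticated: no RESP sent
        return make_response(sa, b"ap", mt_challenge)


class MobileTerminal:
    def __init__(self, mt_id: str, sa: SecurityAssociation) -> None:
        self.mt_id = mt_id
        self.sa = sa
        self.mt_challenge: Optional[bytes] = None

    def reassociate_request(self, ap_challenge: bytes) -> Tuple[bytes, bytes]:
        """functions 510-513: answer the ap_challenge and issue an mt_challenge;
        both travel in the MAC_REASSOCIATE_REQ (message 513)."""
        self.mt_challenge = secrets.token_bytes(16)
        return make_response(self.sa, b"mt", ap_challenge), self.mt_challenge

    def verify_ap(self, ap_response: Optional[bytes]) -> bool:
        """functions 519/520: authenticate the new AP by its ap_response."""
        challenge, self.mt_challenge = self.mt_challenge, None
        if ap_response is None or challenge is None:
            return False
        return hmac.compare_digest(make_response(self.sa, b"ap", challenge), ap_response)


def backward_handover(mt: MobileTerminal, old_ap: AccessPoint, new_ap: AccessPoint) -> bool:
    """Runs the exchange of FIGS. 5A-5C; True only when both compares succeed."""
    sa = old_ap.handover_request(mt.mt_id)                  # 502-505
    if sa is None:
        return False
    ap_challenge = new_ap.accept_transfer(sa)               # SA at new-AP, 507-509
    mt_response, mt_challenge = mt.reassociate_request(ap_challenge)       # 510-513
    ap_response = new_ap.reassociate(mt.mt_id, mt_response, mt_challenge)  # 515-518
    return mt.verify_ap(ap_response)                        # 519-521


def demo() -> Tuple[bool, bool]:
    """Constructed sample run: a genuine handover, then a handover through an
    AP whose stored key for this terminal differs, which must not complete."""
    sa = SecurityAssociation("mt-12", secrets.token_bytes(32))
    old_ap, new_ap = AccessPoint("ap-14"), AccessPoint("ap-114")
    old_ap.sa_db[sa.mt_id] = sa
    mt = MobileTerminal("mt-12", sa)
    genuine = backward_handover(mt, old_ap, new_ap)

    stranger = AccessPoint("ap-x")
    stranger.sa_db[sa.mt_id] = SecurityAssociation("mt-12", secrets.token_bytes(32))
    mismatched = backward_handover(mt, stranger, AccessPoint("ap-y"))
    return genuine, mismatched


if __name__ == "__main__":
    print(demo())  # (True, False)
```

Two details matter for a practitioner reading the page's claims. Communication is only resumed after both the first-compare (at the terminal) and the second-compare (at the access point) succeed, and the access point sends no response at all when its compare fails, so an AP that never received the SA cannot complete either half. Each ap_challenge is consumed when checked, which is what keeps a captured mt_response from being accepted a second time.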

FIGS. 6 and 7 show two additional embodiments of the invention. While the specific details of the FIGS. 6 and 7 embodiments differ in the specific details thereof, the content of the FIGS. 6 and 7 embodiments will be readily apparent by way of a comparison to the above described FIGS. 2, 4A-4C and 5A-5C embodiments of the invention. 

While the invention has been described in detail while making reference to preferred embodiments thereof, no part of this detailed description is to be taken as a limitation on the spirit and scope of the invention, since it is known that those skilled in this art will readily visualize yet other embodiments that are within the spirit and scope of this invention once the invention is generally known. 
What is claimed is: 

Claim 1. A method of providing information security when communication with a given mobile-terminal is handed-over from a first access-point to a second access-point, comprising the steps of: 

providing a communication system having a plurality of access-points, each access point serving a different geographic area within an overall geographic area that is served by said communication system; 

providing a plurality of mobile-terminals that are each physically moveable within said overall geographic area and between said different geographic areas; 

sensing when said given mobile-terminal moves from a communication-influence with said first access-point into a communication-influence with said second access-point; 

responding to said sensing step by retrieving security-association-parameters ..., by creating a security association at said second access-point in accordance with said retrieved security-association-parameters, and by creating a security association at said given mobile-terminal in accordance with said retrieved security-association-parameters; 

...

initiating communication between said given mobile-terminal and said second access-point based upon said first-comparing step and said second-comparing step. 

Claim 2. The method of claim 1 including the steps of: 

responding to said sensing step by sending an authenticate-access-point-challenge from said given mobile-terminal to said second access-point, and by sending an authenticate-mobile-terminal-challenge from said second access-point to said given mobile-terminal; 
generating an authenticate-access-point-response at said second access-point in response to said authenticate-access-point-challenge received from said given mobile-terminal; 

sending said authenticate-access-point-response to said given mobile-terminal; 

generating an authenticate-mobile-terminal-response at said given mobile-terminal in response to said authenticate-mobile-terminal-challenge received from said second access-point; 

sending said authenticate-mobile-terminal-response to said second access-point; 

first-comparing said authenticate-access-point-response to a correct response at said given mobile-terminal; 

second-comparing said authenticate-mobile-terminal-response to a correct response at said second access-point; and 

initiating communication between said given mobile-terminal and said second access-point based upon said first-comparing step and said second-comparing step. 

Claim 3. The method of claim 2 wherein said plurality of mobile-terminals have a media access control layer and compatible physical layers, and wherein said messages are media access control messages. 

Claim 4. The method of claim 3 wherein said messages are transmitted within a wireless LAN such as IEEE 802.11 or HIPERLAN/2 multiple access messages. 

Claim 5. The method of claim 2 wherein said communication system is a WLAN communication system wherein a security protocol is used to provide end-to-end security for data packets. 
Claim 6. The method of claim 5 wherein said end-to-end security is ... same encryption and/or authentication key at ... link. 

Claim 7. The method of claim 6 wherein a scalable key management protocol operates to generate symmetric keys for said security protocol. 

Claim 8. ...

Claim 9. The method of claim 4 including the steps of: 

providing said communications system as a LAN; 

providing a ... within said LAN; 

providing key management and security association establishment such that ... modification to an end-to-end security association ... as communication continues during said communications handover, and such that said communications handover affects only security functions between said mobile-terminal and said first and second access-points. 

Claim 10. The method of claim 9 wherein said LAN includes Internet Protocol Security based security association between said plurality of access-points and said plurality of mobile-terminals. 
Claim 11. The method of claim 1 wherein an authentication key is provided for both ends of a communication pair that is made up of said given mobile-terminal and said first and second access-points, said authentication key being generated by a scalable key management protocol. 

Claim 12. The method of claim 1 wherein an authentication key or security association exists between said given mobile-terminal and said first access-point in accordance with a scalable key management protocol; and wherein security associations are transferred between said plurality of access-points in order to avoid the need for a new key exchange during a communication handover. 
Claim 13. The method of claim 12 wherein said scalable key management protocol is IKE, and wherein security associations are transferred between said first access-point and said second access-point in a manner to avoid a need for a new key exchange during said communication handover from said first access-point to said second access-point. 

Claim 14. The method of claim 13 including the step of encrypting messages that carry the keys. 

Claim 15. A challenge/response method for maintaining a security association when a communication-handover event occurs in a radio communications system, comprising the steps of: 

providing a communication-pair that is made up of an access-point and a mobile-terminal that is experiencing a communication handover to said access-point; 

sending a first-challenge from said mobile-terminal to said access-point; 

...

calculating a second-response to said received ...; 

...

first-comparing said received first-response to a correct response at said mobile-terminal; 

second-comparing said received second-response to a correct response at said access-point; and 

beginning communication between said access-point and said mobile-terminal as a function of said first-comparing step and said second-comparing step. 

Claim 16. The method of claim 15 wherein said radio communications system is selected from the group IEEE 802.11 ... 

Claim 17. The method of claim 15 wherein said mobile-terminal is in communication with another access-point prior to said communication-handover event, and wherein said ... that exists between said mobile-terminal and said ... 

Claim 18. Apparatus for maintaining a given security-association in a radio communications system when a communication-handover occurs as a mobile-terminal physically moves from a first geographic area that is served by a first communication-access-point to a second geographic area that is served by a second communication-access-point, said mobile-terminal initially forming a first communication-pair with said first communication-access-point, and after said communication-handover said mobile-terminal forming a second communication-pair with said second communication-access-point, each member of said first communication-pair having said given security-association associated therewith, the apparatus comprising: 

first means at said mobile-terminal for sensing a need to initiate said communication-handover; 

second means within said radio communications system and responsive to said first means sensing said need to initiate said communication-handover for establishing said given security-association at said second communication-access-point; 

third means at said mobile-terminal for generating an access-point-challenge as a function of said given security-association, and for sending said access-point-challenge to said second communication-access-point; 

fourth means at said second communication-access-point for generating a mobile-terminal-challenge as a function of said given security-association established at said second communication-access-point, and for sending said mobile-terminal-challenge to said mobile-terminal; 

fifth means at said mobile-terminal and responsive to said mobile-terminal-challenge for generating a mobile-terminal-response as a function of said given security-association, and for sending said mobile-terminal-response to said second communication-access-point; 

sixth means at said second communication-access-point and responsive to said access-point-challenge for generating an access-point-response as a function of said given security-association established at said second communication-access-point, and for sending said access-point-response to said mobile-terminal; 

seventh means at said mobile-terminal and responsive to said access-point-response for determining if said access-point-response is correct as a function of said given security-association; 
eighth means at said second communication-access-point and responsive to said mobile-terminal-response for determining if said mobile-terminal-response is correct as a function of said given security-association established at said second communication-access-point; and 

means within said radio communications system, responsive to said eighth and ninth means, for establishing said communication-handover when both said access-point-response and said mobile-terminal-response are correct. 

Claim 19. The apparatus of claim 18 wherein said radio communications system is selected from the group IEEE 802.11 and HIPERLAN/2. 

Claim 20. A method for maintaining a given security-association in a radio communications system when a communication-handover of a mobile-terminal occurs ..., ... with said second communication-access-point ... communication-pair ..., the method comprising the steps of: 

sensing at said mobile-terminal a need to initiate said communication-handover; 

responding to said sensing step by establishing said given security-association at said second communication-access-point in response thereto; 

generating at said mobile-terminal an access-point-challenge as a function of said given security-association; 

sending said access-point-challenge to said second communication-access-point; 
generating at said second communication-access-point a mobile-terminal-challenge as a function of said given security-association established at said second communication-access-point; 

sending said mobile-terminal-challenge to said mobile-terminal; 

responding to said mobile-terminal-challenge at said mobile-terminal and generating a mobile-terminal-response as a function of said given security-association; 

sending said mobile-terminal-response to said second communication-access-point; 

responding to said access-point-challenge at said second communication-access-point and generating an access-point-response as a function of said given security-association established at said second communication-access-point; 

sending said access-point-response to said mobile-terminal; 

responding to said access-point-response at said mobile-terminal and determining if said access-point-response is correct as a function of said given security-association; 

responding to said mobile-terminal-response at said second communication-access-point and determining if said mobile-terminal-response is correct as a function of said given security-association established at said second communication-access-point; and 

establishing said communication-handover when both said mobile-terminal-response and said access-point-response are correct. 